Release Notes for
the Cisco ASA Series, 9.6(x)

Important
Notes

Potential Traffic Outage (9.6(2.1) through 9.6(3))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.

The ASAv
9.5.2(200) features, including Microsoft Azure support, are not available in
9.6(1).
They are available in 9.6(2).

(ASA 9.6.2)
Upgrade impact when using multiple-mode configuration—When upgrading from 9.5.2
to 9.6.1 and then subsequently to 9.6.2, any existing RAVPN for multiple-mode
configuration will stop working. Post upgrade to the 9.6.2 image, a
reconfiguration to give each context a storage space and to get new AnyConnect
images in all of the contexts is required.

(ASA 9.6(2))
Upgrade impact when using SSH public key authentication—Due to updates to SSH
authentication, additional configuration is required to enable SSH public key
authentication; as a result, existing SSH configurations using public key
authentication no longer work after upgrading. Public key authentication is the
default for the ASAv on Amazon Web Services (AWS), so AWS users will see this
issue. To avoid loss of SSH connectivity, you can update your configuration
before you
upgrade. Or you can use ASDM after you upgrade (if you enabled ASDM access) to
fix the configuration.

We recommend
setting a password for the username as opposed to keeping the
nopassword
keyword, if present. The
nopassword
keyword means that
any
password can be entered, not that
no
password can be entered. Prior to 9.6(2), the
aaa command
was not required for SSH public key authentication, so the
nopassword
keyword was not triggered. Now that the
aaa command
is required, it automatically also allows regular password authentication for a
username if
the
password (or
nopassword)
keyword is present.

After you
upgrade, the
username
command no longer requires the
password or
nopassword
keyword; you can require that a user cannot enter a password. Therefore, to
force public key authentication only, re-enter the
username
command:

username admin privilege 15

Upgrade impact
when upgrading the ASA on the Firepower 9300— Due to license entitlement naming
changes on the back-end, when you upgrade to ASA 9.6(1)/FXOS 1.1.4, the startup
configuration may not parse correctly upon the initial reload; configuration
that corresponds to add-on entitlements is rejected.

For a
standalone ASA, after the unit reloads with the new version, wait until all the
entitlements are processed and are in an "Authorized" state (show license all), and simply reload again (reload)
without
saving the configuration. After the reload, the startup configuration will be
parsed correctly.

For a failover
pair if you have any add-on entitlements, follow the upgrade procedure in the
FXOS release notes, but reset failover after you reload each unit (failover
reset).

For a cluster,
follow the upgrade procedure in the FXOS release notes; no additional action is
required.

ASA 5508-X and
5516-X upgrade issue when upgrading to 9.5(x) or later—Before you upgrade to
ASA Version 9.5(x) or later, if you never enabled jumbo frame reservation then
you must check the maximum memory footprint. Due to a manufacturing defect, an
incorrect software memory limit might have been applied. If you upgrade to
9.5(x) or later before performing the below fix, then your device will crash on
bootup; in this case, you must downgrade to 9.4 using ROMMON (Load an Image for the ASA
5500-X Series Using ROMMON), perform the below procedure, and then
upgrade again.

If a value
less than
456,384,512 is returned for “Max memory footprint,” then the
failure condition is present, and you must complete the remaining steps before
you upgrade. If the memory shown is 456,384,512 or greater, then you can skip
the rest of this procedure and upgrade as normal.

Enter global
configuration mode:

ciscoasa# configure terminal
ciscoasa(config)#

Temporarily
enable jumbo frame reservation:

ciscoasa(config)# jumbo-frame reservation
WARNING: This command will take effect after the running-config
is saved and the system has been rebooted. Command accepted.
INFO: Interface MTU should be increased to avoid fragmenting
jumbo frames during transmit

The RSA
toolkit version used in ASA 9.x is different from what was used in ASA 8.4,
which causes differences in PKI behavior between these two versions.

For example,
ASAs running 9.x software allow you to import certificates with an
Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4
software allow you to import certificates with an OU field name of 60
characters. Because of this difference, certificates that can be imported in
ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x
certificate to an ASA running version 8.4, you will likely receive the error,
"ERROR: Import PKCS12 operation failed.

System
Requirements

This section lists the system
requirements to run this release.

ASA and ASDM
Compatibility

For information about ASA/ASDM
software and hardware requirements and compatibility, including module
compatibility, see
Cisco ASA Compatibility.

Released: December 13, 2017

New Features in ASA
9.6(3.1)

Released: April
3, 2017

Separate
authentication for users with SSH public key authentication and users with
passwords

In
releases prior to 9.6(2), you could enable SSH public key authentication
(ssh
authentication) without also explicitly enabling AAA SSH
authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2),
the ASA required you to explicitly enable AAA SSH authentication. In this
release, you no longer have to explicitly enable AAA SSH authentication; when
you configure the
ssh
authentication command for a user, local authentication is
enabled by default for users with this type of authentication. Moreover, when
you explicitly configure AAA SSH authentication, this configuration only
applies for for usernames with
passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for
example). For example, some users can use public key authentication using the
local database, and other users can use passwords with RADIUS.

We did not modify any commands.

New Features in ASA
9.6(2)

Released:
August 24, 2016

Feature

Description

Platform Features

ASA for
the Firepower 4150

We
introduced the ASA for the Firepower 4150.

Requires
FXOS 2.0.1.

We did not add or modify any commands.

Hot Plug
Interfaces on the ASAv

You can
add and remove Virtio virtual interfaces on the ASAv while the system is
active. When you add a new interface to the ASAv, the virtual machine detects
and provisions the interface. When you remove an existing interface, the
virtual machine releases any resource associated with the interface. Hot plug
interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual
Machine (KVM) hypervisor.

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a
private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft
Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure
supports one instance type, the Standard D3, which supports four vCPUs, 14 GB,
and four interfaces.

Also in 9.5(2.200).

Through
traffic support on the Management 0/0 interface for the ASAv

You can
now allow through traffic on the Management 0/0 interface on the ASAv.
Previously, only the ASAv on Microsoft Azure supported through traffic; now all
ASAvs support through traffic. You can optionally configure this interface to
be management-only, but it is not configured by default.

We modified the following command:
management-only

Common
Criteria Certification

The ASA
was updated to comply with the Common Criteria requirements. See the rows in
this table for the following features that were added for this certification:

You can
now inspect STUN traffic for WebRTC applications including Cisco Spark.
Inspection opens pinholes required for return traffic.

We added or modified the following commands:
inspect stun,
show conn
detail,
show service-policy inspect
stun

Application layer health checking for Cisco Cloud Web Security

You can
now configure Cisco Cloud Web Security to check the health of the Cloud Web
Security application when determining if the server is healthy. By checking
application health, the system can fail over to the backup server when the
primary server responds to the TCP three-way handshake but cannot process
requests. This ensures a more reliable system.

You can
now configure how long the system should maintain a connection when the route
used by the connection no longer exists or is inactive. If the route does not
become active within this holddown period, the connection is freed. You can
reduce the holddown timer to make route convergence happen more quickly.
However, the 15 second default is appropriate for most networks to prevent
route flapping.

We added the following command:
timeout
conn-holddown

Also in 9.4(3).

Changes
in TCP option handling

You can
now specify actions for the TCP MSS and MD5 options in a packet’s TCP header
when configuring a TCP map. In addition, the default handling of the MSS,
timestamp, window-size, and selective-ack options has changed. Previously,
these options were allowed, even if there were more than one option of a given
type in the header. Now, packets are dropped by default if they contain more
than one option of a given type. For example, previously a packet with 2
timestamp options would be allowed, now it will be dropped.

You can
configure a TCP map to allow multiple options of the same type for MD5, MSS,
selective-ack, timestamp, and window-size. For the MD5 option, the previous
default was to clear the option, whereas the default now is to allow it. You
can also drop packets that contain the MD5 option. For the MSS option, you can
set the maximum segment size in the TCP map (per traffic class). The default
for all other TCP options remains the same: they are cleared.

We modified the following command:
tcp-options

Transparent mode maximum interfaces per bridge group increased
to 64

The
maximum interfaces per bridge group was increased from 4 to 64.

We did not modify any commands.

Flow
offload support for multicast connections in transparent mode.

You can
now offload multicast connections to be switched directly in the NIC on
transparent mode Firepower 4100 and 9300 series devices. Multicast offload is
available for bridge groups that contain two and only two interfaces.

There
are no new commands or ASDM screens for this feature.

Customizable ARP rate limiting

You can
set the maximum number of ARP packets allowed per second. The default value
depends on your ASA model. You can customize this value to prevent an ARP storm
attack.

We added the following commands:
arp
rate-limit, show arp rate-limit

Ethertype rule support for the IEEE 802.2 Logical Link Control
packet's Destination Service Access Point address.

You can
now write Ethertype access control rules for the IEEE 802.2 Logical Link
Control packet's Destination Service Access Point address. Because of this
addition, the
bpdu keyword
no longer matches the intended traffic. Rewrite
bpdu rules
for
dsap 0x42.

We modified the following commands:
access-list
ethertype

Remote Access Features

Pre-fill/Username-from-cert feature for multiple context mode

AnyConnect SSL support is extended, allowing
pre-fill/username-from-certificate feature CLIs, previously available only in
single mode, to be enabled in multiple context mode as well.

We did not modify any commands.

Flash
Virtualization for Remote Access VPN

Remote
access VPN in multiple context mode now supports flash virtualization. Each
context can have a private storage space and a shared storage place based on
the total flash that is available:

Private storage—Store files associated only with that user and
specific to the content that you want for that user.

Shared storage—Upload files to this space and have it accessible
to any user context for read/write access once you enable it.

We introduced the following commands:
limit-resource storage, storage-url

AnyConnect client profiles supported in multiple context mode

AnyConnect client profiles are supported in multiple context
mode. To add a new profile using ASDM, you must have the AnyConnect Secure
Mobility Client release 4.2.00748 or 4.3.03013 and later.

Stateful
failover for AnyConnect connections in multiple context mode

Stateful
failover is now supported for AnyConnect connections in multiple context mode.

Localization is supported globally. There is only one set of
localization files that are shared across different contexts.

We did not modify any commands.

Umbrella
Roaming Security module support

You can
choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming
Security module for additional DNS-layer security when no VPN is active.

We did not modify any commands.

IPsec/ESP Transport Mode Support for IKEv2

Transport mode is now supported for ASA IKEv2 negotiation. It
can be used in place of tunnel (default) mode. Tunnel mode encapsulates the
entire IP packet. Transport mode encapsulates only the upper-layer protocols of
an IP packet. Transport mode requires that both the source and destination
hosts support IPSec, and can only be used when the destination peer of the
tunnel is the final destination of the IP packet.

We modified the following command:
crypto
map set ikev2 mode

Per-packet routing lookups for IPsec inner packets

By
default, per-packet adjacency lookups are done for outer ESP packets; lookups
are not done for packets sent through the IPsec tunnel. In some network
topologies, when a routing update has altered the inner packet’s path, but the
local IPsec tunnel is still up, packets through the tunnel may not be routed
correctly and fail to reach their destination. To prevent this, use the new
option to enable per-packet routing lookups for the IPsec inner packets.

We added the following command:
crypto
ipsec inner-routing-lookup

Certificate and Secure
Connection Features

ASA
client checks Extended Key Usage in server certificates

Syslog
and Smart licensing Server Certificates must contain “ServerAuth” in the
Extended Key Usage field. If not, the connection fails.

Mutual
authentication when ASA acts as a TLS client for TLS1.1 and 1.2

If the server requests a
client certificate from the ASA for authentication, the ASA will send the
client identity certificate configured for that interface. The certificate is
configured by the
ssl
trust-point command.

PKI
debug messages

The ASA
PKI module makes connections to CA servers such as SCEP enrollment, revocation
checking using HTTP, etc. All of these ASA PKI exchanges will be logged as
debug traces under debug crypto ca message 5.

ASA SSL
Server mode matching for ASDM

For an
ASDM user who authenticates with a certificate, you can now require the
certificate to match a certificate map.

We modified the following command:
http
authentication-certificate match

TLS
client processing now supports rules for verification of a server identity
defined in RFC 6125, Section 6. Identity verification will be done during PKI
validation for TLS connections to the Syslog Server and the Smart Licensing
server only. If the presented identity cannot be matched against the configured
reference identity, the connection is not established.

The ASA
crypto system has been updated to comply with new key zeroization requirements.
Keys must be overwritten with all zeros and then the data must be read to
verify that the write was successful.

SSH
public key authentication improvements

In
earlier releases, you could enable SSH public key authentication
(ssh
authentication) without also enabling AAA SSH authentication
with the Local user database
(aaa authentication ssh
console LOCAL). The configuration is now fixed so that you
must explicitly enable AAA SSH authentication. To disallow users from using a
password instead of the private key, you can now create a username without any
password defined.

We modified the following commands:
ssh
authentication, username

Interface Features

Increased MTU size for the ASA on the
Firepower 4100/9300 chassis

You can
set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the
maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.

We modified the following command:
mtu

Routing Features

Bidirectional Forwarding Detection (BFD) Support

The ASA
now supports the BFD routing protocol. Support was added for configuring BFD
templates, interfaces, and maps. Support for BGP routing protocol to use BFD
was also added.

DHCPv6 Prefix Delegation client—The ASA obtains delegated
prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to
configure other ASA interface addresess so that StateLess Address Auto
Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same
network.

BGP
router advertisement for delegated prefixes

DHCPv6 stateless server—The ASA provides other information such
as the domain name to SLAAC clients when they send Information Request (IR)
packets to the ASA. The ASA only accepts IR packets, and does not assign
addresses to the clients.

Improved
sync time for dynamic ACLs from AnyConnect when using Active/Standby failover

When you
use AnyConnect on a failover pair, then the sync time for the associated
dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with
large dACLs, the sync time could take hours during which time the standby unit
is busy syncing instead of providing high availability backup.

We did not modify any commands.

Licensing Features

Permanent License Reservation for the ASAv

For
highly secure environments where communication with the Cisco Smart Software
Manager is not allowed, you can request a permanent license for the ASAv. In
9.6(2), we also added support for this feature for the ASAv on Amazon Web
Services. This feature is not supported for Microsoft Azure.

Note

Not
all accounts are approved for permanent license reservation. Make sure you have
approval from Cisco for this feature before you attempt to configure it.

Due to
an update to the Smart Agent (to 1.6.4), the request and authorization codes
now use shorter strings.

We did not modify any commands.

Permanent License Reservation for the ASA on the
Firepower 4100/9300 chassis

For
highly secure environments where communication with the Cisco Smart Software
Manager is not allowed, you can request a permanent license for the ASA on the
Firepower 9300 and Firepower 4100. All available license entitlements are
included in the permanent license, including the Standard Tier, Strong
Encryption (if qualified), Security Contexts, and Carrier licenses. Requires
FXOS 2.0.1.

All
configuration is performed on the
Firepower 4100/9300 chassis;
no configuration is required on the ASA.

Smart
Agent Upgrade for ASAv to v1.6

The
smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports
permanent license reservation and also supports setting the Strong Encryption
(3DES/AES) license entitlement according to the permission set in your license
account.

Note

If you
downgrade from Version 9.5(2.200), the ASAv does not retain the licensing
registration state. You need to re-register with the
license smart register
idtokenid_tokenforce command; obtain the ID token from the
Smart Software Manager.

We introduced the following commands:
show
license status, show license summary, show license udi, show license usage

We modified the following commands:
show
license all, show tech-support license

We deprecated the following commands:
show
license cert, show license entitlement, show license pool, show license
registration

Also in 9.5(2.200).

Monitoring Features

Packet
capture of type asp-drop supports ACL and match filtering

When you
create a packet capture of type asp-drop, you can now also specify an ACL or
match option to limit the scope of the capture.

We modified the following command:
capture type asp-drop

Forensic
Analysis enhancements

You can
create a core dump of any process running on the ASA. The ASA also extracts the
text section of the main ASA process that you can copy from the ASA for
examination.

Two
counters were added that allow Netflow users to see the number of Layer 4
packets being sent in both directions on a connection. You can use these
counters to determine average packet rates and sizes and to better predict
traffic types, anomalies, and events.

We did not modify any commands.

SNMP
engineID sync for Failover

In a
failover pair, the SNMP engineIDs of the paired ASAs are synced on both units.
Three sets of engineIDs are maintained per ASA—synced engineID, native engineID
and remote engineID.

An
SNMPv3 user can also specify the engineID of the ASA when creating a profile to
preserve localized
snmp-server user authentication and privacy options. If a
user does not specify the native engineID, the
show
running config output will show two engineIDs per user.

We
modified the following command:
snmp-server user

Also in 9.4(3).

REST API Features

REST API Version 1.3.2

We added support for the REST API Version 1.3.2.

New Features in ASA
9.6(1)

Released:
March 21, 2016

Note

The ASAv
9.5.2(200) features, including Microsoft Azure support, are not available in
9.6(1). They are available in 9.6(2).

Feature

Description

Platform Features

ASA for
the
Firepower 4100 series

We
introduced the ASA for the Firepower 4110, 4120, and 4140.

Requires
FXOS 1.1.4.

We did not add or modify any commands.

SD card
support for the ISA 3000

You can
now use an SD card for external storage on the ISA 3000. The card appears as
disk3 in the ASA file system. Note that plug and play support requires hardware
version 2.1 and later. Use the
show
module command to check your hardware version.

We did not add or modify any commands.

Dual
power supply support for the ISA 3000

For dual
power supplies in the ISA 3000, you can establish dual power supplies as the
expected configuration in the ASA OS. If one power supply fails, the ASA issues
an alarm. By default, the ASA expects a single power supply and won't issue an
alarm as long as it includes one working power supply.

We introduced the following command:
power-supply
dual.

Firewall Features

Diameter inspection improvements

You can
now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance
checking, and inspect Diameter over SCTP in cluster mode.

We introduced or modified the following commands:
client
clear-text,
inspect
diameter,
strict-diameter.

SCTP stateful inspection in cluster mode

SCTP
stateful inspection now works in cluster mode. You can also configure SCTP
stateful inspection bypass in cluster mode.

We did not add or modify any commands.

H.323
inspection support for the H.255 FACILITY message coming before the H.225 SETUP
message for H.460.18 compatibility.

You can
now configure an H.323 inspection policy map to allow for H.225 FACILITY
messages to come before the H.225 SETUP message, which can happen when
endpoints comply with H.460.18.

We introduced the following command:
early-message.

Cisco
Trustsec support for Security Exchange Protocol (SXP) version 3.

Cisco
Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings,
which are more efficient than host bindings.

You can
identify flows that should be off-loaded from the ASA and switched directly in
the NIC for the
Firepower 4100 series.

Requires
FXOS 1.1.4.

We did not add or modify any commands.

Remote Access Features

IKEv2 Fragmentation, RFC-7383 support

The ASA
now supports this standard fragmentation of IKEv2 packets. This allows
interoperability with other IKEv2 implementations such as Apple, Strongswan
etc. ASA continues to support the current, proprietary IKEv2 fragmentation to
maintain backward compatibility with Cisco products that do not support
RFC-7383, such as the AnyConnect client.

The
crypto engine
accelerator-bias command is now supported on the ASA security
module on the Firepower 9300 and
Firepower 4100 series.
This command lets you “bias” more crypto cores toward either IPSec or SSL.

We modified the following command:
crypto engine
accelerator-bias

Configurable SSH encryption and HMAC algorithm.

Users
can select cipher modes when doing SSH encryption management and can configure
HMAC and encryption for varying key exchange algorithms. You might want to
change the ciphers to be more or less strict, depending on your application.
Note that the performance of secure copy depends partly on the encryption
cipher used. By default, the ASA negotiates one of the following algorithms in
order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr
aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the
performance is much slower than a more efficient algorithm such as aes128-cbc.
To change the proposed ciphers, use
ssh cipher encryption
custom aes128-cbc, for example.

When you
enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can
now redirect traffic sent an to IPv6 address.

We added functionality to the following command: http redirect

Also available in 9.1(7)
and 9.4(3).

Routing Features

IS-IS
routing

The ASA
now supports the Intermediate System to Intermediate System (IS-IS) routing
protocol. Support was added for routing data, performing authentication, and
redistributing and monitoring routing information using the IS-IS routing
protocol.

Support
for site-specific IP addresses in Routed, Spanned EtherChannel mode

For
inter-site clustering in routed mode with Spanned EtherChannels, you can now
configure site-specific IP addresess in addition to site-specific MAC
addresses. The addition of site IP addresses allows you to use ARP inspection
on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses
from the global MAC address from traveling over the Data Center Interconnect
(DCI), which can cause routing problems. ARP inspection is required for some
switches that cannot use VACLs to filter MAC addresses.

We modified the following commands:
mac-address, show interface

Administrative Features

Longer
password support for local
username and
enable
passwords (up to 127 characters)

You can
now create local
username and
enable
passwords up to 127 characters (the former limit was 32). When you create a
password longer than 32 characters, it is stored in the configuration using a
PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords
continue to use the MD5-based hashing method.

We modified the following commands:
enable, username

Support
for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The
cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a
table of memory pool monitoring entries for all physical entities on a managed
system.

Note

The
CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of
memory on platforms with more than 4GB of RAM.

We did not add or modify any commands.

Also available in 9.1(7)
and 9.4(3).

REST API
Version 1.3.1

We added
support for the REST API Version 1.3.1.

Upgrade the
Software

This section provides the upgrade
path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

CLI—Use the show version command.

ASDM—Choose Home > Device Dashboard > Device Information.

See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.

Current Version

Upgrade Path

9.7(x)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

9.6(x)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

9.5(x)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

9.4(x)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

9.3(x)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

9.2(x)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

9.1(1)

→ 9.1(2)

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

9.0(2), 9.0(3), or 9.0(4)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

9.0(1)

→ 9.0(2), 9.0(3), or 9.0(4)

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.6(1)

→ 9.0(2), 9.0(3), or 9.0(4)

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.5(1)

→ 9.0(2), 9.0(3), or 9.0(4)

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.4(5+)

—

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.4(1) through 8.4(4)

Any of the following:

→ 9.0(2), 9.0(3), or 9.0(4)

→ 8.4(6)

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.3(x)

→ 8.4(6)

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.2(x) and earlier

→ 8.4(6)

Any of the following:

→ 9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

Upgrade Link

Open and Resolved
Bugs

The open and resolved bugs for this release are accessible through the
Cisco Bug Search Tool. This web-based tool provides you with access to the
Cisco bug tracking system, which maintains information about bugs and
vulnerabilities in this product and other Cisco hardware and software products.

Note

You must have a Cisco.com account to log in and access the Cisco Bug
Search Tool. If you do not have one, you can
register for an account. If you do not
have a Cisco support contract, you can only look up bugs by ID; you cannot run
searches.